Replace request@2.79.0 by request@2.88.0 (or latest) #13

yocarbo opened this Issue Sep 11, 2018 · 3 comments



yocarbo commented Sep 11, 2018


✗ Medium severity vuln found in tunnel-agent@0.4.3, introduced via ascii-art@1.4.4
Description: Uninitialized Memory Exposure
From: ascii-art@1.4.4 > request@2.79.0 > tunnel-agent@0.4.3

✗ Medium severity vuln found in cryptiles@2.0.5, introduced via ascii-art@1.4.4
Description: Insecure Randomness
From: ascii-art@1.4.4 > request@2.79.0 > hawk@3.1.3 > cryptiles@2.0.5





khrome commented Sep 15, 2018

So this is an exploit about using auth with unchecked user-supplied credentials. The other issue is likewise around crypto that is not active or used in my application. Given that my use of request is an unauthenticated file transfer of text data, I would characterize my exposure surface to these issues as nonexistent. If this is the product of an institutional security autoscanner and we're just checking boxes in the name of security absolution, the right thing to do is submit a Pull Request with the change.




khrome commented Nov 1, 2018

I had other changes to publish, so I made this change as well. Thanks for the report.

khrome closed this Nov 1, 2018



yocarbo commented Nov 13, 2018

Thanks for update ;)
